In order to protect a computer system from unauthorized access by a malicious third party, “authentication (or certification)” of a user is commonly performed. A simple example of user authentication is the use of a combination of a user ID and a password. Various user authentication methods have been proposed according to the required security level and the user environment.
For example, Patent Document 1 set forth below discloses a user authentication method that uses a geometric pattern for deriving a password (referred to as a “password derivation pattern” or “password extraction pattern”) instead of using the password itself. Specifically, Patent Document 1 discloses a user authentication method and a user authentication system in which a password derivation pattern is registered in an authentication server for each user in advance. When the user uses a system, the authentication server generates a presentation pattern, presents it to the user, and allows the user to enter the password corresponding to the user's password derivation pattern in the presentation pattern. The authentication server then authenticates the entered password based on the presented presentation pattern and the registered password derivation pattern of the user, and a usage target system is notified of the authentication result. In Patent Document 1, an information communication terminal device of the user is used for presenting the presentation pattern.
Further, authentication using a one-time password (OTP) is a user authentication method in which, instead of or in addition to the combination of the user ID and the password, a “disposable” password that is valid only once, i.e., a “one-time password”, is issued. In OTP-based user authentication, the server of the authenticator and the device of the person to be authenticated (i.e., the user) must share an OTP that is synchronized between the server and the device. For example, the authentication server and the user device generate the OTP in time synchronization with each other by using a common seed (or secret key) and a common random number generation algorithm. An OTP that is issued in time synchronization is referred to as a time synchronous one-time password (Time synchronous OTP) or a time-based one-time password (Time-based OTP) (TOTP), and is updated in a relatively short time cycle of, e.g., 30 seconds or 60 seconds so that a third party is not given sufficient time for a malicious challenge. In order to implement TOTP authentication, the user is provided in advance by the authenticator with a security token such as a hardware token or a software token.
For example, Patent Document 2 shown below discloses a one-time password system that includes a server device and a one-time password device that generates the one-time password that is used when communication with the server device is performed.
Moreover, Patent Document 3 discloses a time synchronous one-time password authentication method capable of easily changing the time at which a server and an OTP device are synchronized. Specifically, Patent Document 3 discloses operating an OTP device 3 to implement the steps of: acquiring a time difference used for determining the time at which the OTP device 3 and a server 1 are synchronized; and determining a time in which the time difference is reflected and generating the time synchronous one-time password that uses the determined time. It also discloses operating the server 1 to implement the steps of: determining the time in which the time difference is reflected; generating the time synchronous one-time password that uses the time; and comparing the time synchronous one-time password generated by the server 1 with the time synchronous one-time password generated by the OTP device 3 to authenticate a user.
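
The time-synchronous OTP flow described above, with the shared time difference of Patent Document 3 applied on both the device and the server, is sketched below as an added example that is not taken from the cited patent documents. It assumes HMAC-SHA1 with RFC 4226/6238 truncation as the common algorithm and a 6-digit code, neither of which the text specifies; the function names are hypothetical and the seed is the published RFC 6238 test seed.

```python
import hashlib
import hmac
import struct

STEP = 30    # update cycle in seconds (the text cites 30 or 60)
DIGITS = 6   # assumed OTP length, not stated in the text

def counter_for(clock: int, time_diff: int = 0) -> int:
    """Cycle number for the local clock with the agreed time difference applied."""
    return (clock + time_diff) // STEP

def totp(seed: bytes, clock: int, time_diff: int = 0) -> str:
    """OTP generated from the shared seed and the time-difference-adjusted time."""
    msg = struct.pack(">Q", counter_for(clock, time_diff))
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    pos = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def server_verify(seed: bytes, server_clock: int, submitted: str,
                  time_diff: int, used: set) -> bool:
    """Server side: regenerate the OTP for the same adjusted time and compare.

    `used` records cycles already accepted so an OTP is valid only once.
    """
    cycle = counter_for(server_clock, time_diff)
    if cycle in used:
        return False
    if not hmac.compare_digest(totp(seed, server_clock, time_diff), submitted):
        return False
    used.add(cycle)
    return True

if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed sample: RFC 6238 test seed
    clock, diff, used = 1111111109, 2, set()
    otp = totp(seed, clock, diff)    # OTP device applies the time difference
    print(otp, server_verify(seed, clock, otp, diff, used))  # first use
    print(server_verify(seed, clock, otp, diff, used))       # replay in same cycle
    print(server_verify(seed, clock, otp, 0, set()))         # server ignores the difference
```

The third call shows why both sides must reflect the same time difference: a 2-second shift moves this sample clock into the next 30-second cycle, so a server that omits it computes a different OTP.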